[ISN] Security UPDATE -- Strengthen Browser Security with Third-Party Solutions--October 6, 2004

InfoSec News isn at c4i.org
Thu Oct 7 05:49:21 EDT 2004

1. In Focus: Strengthen Browser Security with Third-Party Solutions

2. Security News and Features
   - Recent Security Vulnerabilities
   - JPEG GDI+ Trojan Unleashed
   - More JPEG GDI+ Exploits
   - Welcome to the "You've Been Hacked" Blog

3. Security Matters Blog
   - Trojans with a Twist

4. Instant Poll

5. Security Toolkit
   - FAQ
   - Security Forum Featured Thread

6. New and Improved
   - Spam Solution Adds User Quarantine Features


==== 1. In Focus: Strengthen Browser Security with Third-Party Solutions ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

If you subscribe to our WinInfo email newsletter, then you've probably 
read stories by Paul Thurrott that discuss how Microsoft will handle 
improvements to Internet Explorer (IE) in the future. If you don't 
subscribe to the newsletter and want to, then visit the home page below, 
where you'll find a link to the subscription form. 

As you know, it's been quite some time since Microsoft released a new 
version of the browser. Meanwhile, other browsers, such as Opera 
Software's Opera and Mozilla Firefox, have added considerable new 
features and functionality. But Microsoft has decided that it will 
introduce future IE improvements via service packs--it won't offer newer 
versions of the Web browser as standalone software because the company 
considers IE an integral part of the OS. 

The recent Windows XP Service Pack 2 (SP2) offers improvements to the 
underlying security of the OS and various components, including IE. 
Microsoft isn't planning to offer similar improvements to Windows 2000 
and earlier OSs. 

Many of you can't upgrade to XP yet for a variety of reasons, but in the 
meantime, you still want to improve overall system security. You can 
gain some of XP SP2's improvements by using third-party products. In at 
least one case--Windows Firewall--third-party products are typically 
superior. Because Windows Firewall allows all outbound connections 
without any means to control them, it's probably a wise idea to use a 
third-party firewall on systems on which you require precise control 
over network traffic. 

To improve the IE security on Windows 2000 and previous OSs, three 
options immediately come to mind, although there are probably others. 
One option lets you keep using IE as your primary browser; the other two 
options recommend that you use another browser as your primary browser 
and use IE only when you have to for whatever reason. I describe the 
options below in no particular order.

One option is to add PivX's Qwik-Fix Pro to your systems to help you 
modify IE zones to lock down the browser and prevent malware from 
exploiting the system. Another option is to purchase a browser such as 
Winferno Software's Secure IE 2004, which is an IE replacement that 
offers better security than IE versions prior to XP SP2's. The third 
option is to use a free third-party browser such as Mozilla Firefox or 
Opera Software's Opera, both of which offer functionality similar to 
that found in IE under XP SP2. 

Qwik-Fix Pro and Secure IE 2004 cost money, which of course is 
reasonable to expect. Opera is available for free if you're willing to 
view banner advertising while you use it; if you buy it, you can use it 
ad-free. Firefox is open source and as such is available for free and 
without banner advertising. 


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

JPEG GDI+ Trojan Unleashed
   It was only a matter of time before someone unleashed malware that 
exploits the JPEG GDI+ vulnerability. Over the last two weeks, 
various people have released proof-of-concept code. Now someone has 
unleashed a JPEG file that causes a buffer overrun and runs shell 
code on the affected system. 

More JPEG GDI+ Exploits
   As could probably be expected, intruders have begun using AOL Instant 
Messenger (AIM) and other methods to exploit unsuspecting users who 
have the JPEG GDI+ vulnerability. At least two new Trojan Horse 
programs have been unleashed. 

Welcome to the "You've Been Hacked" Blog
   We've added a second security blog, "You've Been Hacked," hosted by 
Brett Hill. Over the next few months, Hill will host a frank 
discussion of security issues related to Microsoft OSs, services, and 
products. As the blog title suggests, the blog will focus on what to 
do if you think you've been hacked. We want to hear from you about 
your experiences, questions, and concerns.


==== 3. Security Matters Blog ====
   by Mark Joseph Edwards, http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3Z0Ae

Check out this recent entry in the Security Matters blog:

Trojans with a Twist  
   Trojan horse programs are a bad enough problem because they can allow 
remote access to a user's computer. One would think that having a 
firewall in place would prevent a Trojan from opening back doors in 
case of infection. But Windows Firewall won't prevent the 
Win32.Surila.K Trojan from opening a back door on your system. 

==== 4. Instant Poll ====

Results of Previous Poll:
Have you experienced difficulty determining which of your systems need 
the latest Microsoft security patches (MS04-027 and MS04-028)?
   The voting has closed in this Windows IT Pro Security Hot Topic 
nonscientific Instant Poll. Here are the results from the 20 votes.
   - 65% Yes
   - 20% No
   - 15% I'm not sure
   (Deviations from 100 percent are due to rounding.)

New Instant Poll:
Have you been affected by a recent JPEG GDI+ exploit?
   Go to the Security Hot Topic and submit your vote for 
   - Yes
   - No, we've patched our systems
   - No, we've patched our systems and removed vulnerable JPEG images
   - No
   - I'm not certain

==== 5. Security Toolkit ==== 

   by John Savill, http://list.windowsitpro.com/cgi-bin3/DM/y/ehkw0MfYqv0Kma0BL3a0Al 

Q: Has Microsoft updated any of the Windows Support Tools in Windows XP 
Service Pack 2 (SP2)?

Find the answer at

Security Forum Featured Thread: Disabling .vbs Files in an OU
   A forum participant is looking for a way to use a policy to disable 
the use of some .vbs files in an Active Directory (AD) organizational 
unit (OU) while allowing the use of some .vbs files that he approves 
of. His understanding is that he can implement only an "all or 
nothing" policy and wonders whether anyone knows a way around this 
limitation. Join the discussion at 


==== 6. New and Improved ====
   by Renee Munshi, mailto:products at windowsitpro.com

Spam Solution Adds User Quarantine Features
   Trend Micro announced new End User Quarantine (EUQ) features for 
Trend Micro Spam Prevention Solution (SPS) to reduce Help-desk 
burdens, to help corporate users manage their own "approved senders" 
lists, and to improve accuracy and effectiveness. EUQ, a free add-on, 
quarantines suspicious "graymail" messages (i.e., messages not 
clearly identifiable as spam) into Microsoft Exchange Server folders 
for each user. Thus, SPS users have instant access to potentially 
important messages and can individually approve any problematic 
senders. EUQ improves SPS's reporting and management capabilities and 
decreases the number of false positives while increasing the spam 
detection rate.

This email newsletter is brought to you by Windows IT Pro,
the leading publication for IT professionals deploying Windows and
related technologies. Subscribe today.

Copyright 2004, Penton Media, Inc. All rights reserved.
